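/**
 * Authenticates the configured {@code username}/{@code password} pair and, on success,
 * registers a session {@link Authorization} and returns its hex token.
 *
 * <p>Flow: look the user up by name, verify the password against the stored salted hash,
 * reject deleted and SYSTEM accounts, build an authorization whose kind follows the
 * account's {@link UserType}, cache it under the token and (when enabled) record the
 * login time.
 *
 * @return the hex-encoded session token for the new authorization
 * @throws UserException on any authentication failure; unknown users and wrong passwords
 *         share one generic message after a randomized delay
 */
@Override
public String execute() throws UserException, BimserverLockConflictException, BimserverDatabaseException, ServerException {
	BimDatabaseAction<User> lookup = new GetUserByUserNameDatabaseAction(getDatabaseSession(), getAccessMethod(), username);
	User user = lookup.execute();
	if (user != null) {
		// An account with no stored hash has not completed e-mail validation yet.
		// NOTE(review): this is thrown before the password is checked and bypasses the
		// failure delay below, so the distinct message lets an unauthenticated caller
		// confirm that the username exists. Consider routing it through the generic
		// failure path if user enumeration is a concern for this deployment.
		if (user.getPasswordHash() == null || user.getPasswordHash().length == 0) {
			throw new UserException("Your email address has not been validated yet");
		}
		if (new Authenticator().validate(password, user.getPasswordHash(), user.getPasswordSalt())) {
			// Account-state checks run only after the password verified, so these
			// messages are not reachable without knowing the password.
			if (user.getState() == ObjectState.DELETED) {
				throw new UserException("User account has been deleted");
			} else if (user.getUserType() == UserType.SYSTEM) {
				throw new UserException("System user cannot login");
			}
			// Server settings are not read while a database migration is pending; fall
			// back to a fixed 10 minute session lifetime in that case.
			int sessionTimeOutSeconds = 60 * 10;
			boolean migrationRequired = bimServer.getDatabase().getMigrator().migrationRequired();
			if (!migrationRequired) {
				sessionTimeOutSeconds = bimServer.getServerSettingsCache().getServerSettings().getSessionTimeOutSeconds();
			}
			Authorization authorization;
			switch (user.getUserType()) {
			case ADMIN:
				authorization = new AdminAuthorization(sessionTimeOutSeconds, TimeUnit.SECONDS);
				break;
			case MONITOR:
				authorization = new MonitorAuthorization(sessionTimeOutSeconds, TimeUnit.SECONDS);
				break;
			default:
				authorization = new UserAuthorization(sessionTimeOutSeconds, TimeUnit.SECONDS);
				break;
			}
			authorization.setUoid(user.getOid());
			authorization.setUsername(user.getUsername());
			// The token is derived with the server's encryption key; it is the only
			// handle clients receive, so it is cached before being returned.
			String asHexToken = authorization.asHexToken(bimServer.getEncryptionKey());
			serviceMap.setAuthorization(authorization);
			bimServer.getAuthCache().store(asHexToken, authorization);
			// Last-login tracking is opt-in and, like the timeout, unavailable mid-migration.
			if (!migrationRequired && bimServer.getServerSettingsCache().getServerSettings().isStoreLastLogin()) {
				user.setLastSeen(new Date());
				getDatabaseSession().store(user);
			}
			return asHexToken;
		}
	}
	// Unknown user and wrong password end here with one generic message. The jittered
	// delay makes the two harder to tell apart, though it only masks, not removes, the
	// hash computation that is skipped when no user was found.
	delayFailedLogin();
	throw new UserException("Invalid username/password combination");
}

/** Sleeps for DEFAULT_LOGIN_ERROR_TIMEOUT plus up to one second of secure random jitter. */
private void delayFailedLogin() {
	try {
		Thread.sleep(DEFAULT_LOGIN_ERROR_TIMEOUT + new java.security.SecureRandom().nextInt(1000));
	} catch (InterruptedException e) {
		// Restore the interrupt flag so a caller's cancellation/shutdown is not swallowed.
		Thread.currentThread().interrupt();
		LOGGER.error("", e);
	}
}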